Amendments to the Claims 

1. (Currently Amended) A method for preventing packet retransmissions during Internet Protocol security (IPsec) security association establishment comprising:
[[intercepting a Transmission Control Protocol (TCP) connection request by an application;
negotiating for a security association;
establishing the security association; and
allowing the TCP connection request to proceed after the security association is established.]]
monitoring application socket requests;
requesting a Transmission Control Protocol (TCP) connection by an application;
determining if there is an active IPsec security association that exists to protect network flow associated with the connection request;
preventing the connection request from proceeding to the TCP/IP layer if no active IPsec security association exists to protect the network flow;
determining if an IPsec security policy exists for the network flow if no active IPsec security association exists to protect the network flow;
alerting a security association negotiation component to initiate negotiation for the IPsec security association based on the IPsec security policy if the IPsec security policy exists for the network flow; and
allowing the connection request to proceed if one of the active IPsec security association exists and the IPsec security association is established from the negotiation.
2. (Currently Amended) The method of claim 1, wherein the IPsec security association comprises an Internet Key Exchange (IKE) component.

3. (Currently Amended) The method of claim 1, wherein the IPsec security association is based on one or more of the following:
a source Internet Protocol (IP) address;
a destination IP address;
a protocol;
a source port; and
a destination port.

4. (Currently Amended) The method of claim 3, wherein the protocol comprises one or more of the following:
TCP;
User Datagram Protocol (UDP);
Internet Control Message Protocol (ICMP); and
Internet Group Management Protocol (IGMP).

5. (Cancelled) 

6. (Currently Amended) The method of claim 1, further comprising retrieving the IPsec security association from a database.

7. (Currently Amended) The method of claim 6, wherein the database contains mappings between network flow information and the IPsec security association.

8. (Currently Amended) The method of claim 7, wherein the network flow information comprises one or more of the following:
a source Internet Protocol (IP) address;
a destination IP address;
a protocol;
a source port; and
a destination port.

9. (Currently Amended) The method of claim 1, further comprising retrieving the IPsec security policy from the database.

10. (Currently Amended) A method for preventing packet retransmissions during Internet Protocol security (IPsec) security association establishment comprising:
monitoring application socket requests;
requesting transmission of User Datagram Protocol (UDP) data on a socket by an application;
[[intercepting the transmission of the UDP data on the socket by the application;]]
determining if the socket has been associated with an active IPsec security association;
determining if there is a defined IPsec security association that may be used to protect network flow if the socket has not been associated with an active IPsec security association;
determining what IPsec security policy should be used when negotiating [[a]] an IPsec security association for the network flow if there is no defined IPsec security association that may be used to protect the network flow;
preventing the data from being sent to the TCP/IP layer if there is no defined IPsec security association that may be used to protect the network flow;
alerting a security association negotiation component to initiate negotiation for the IPsec security association if there is no defined IPsec security association that may be used to protect the network flow;
establishing the IPsec security association; and
allowing the UDP data to be sent in response to establishment of the IPsec security association.



11. (Previously Presented) The method of claim 10, wherein the security association negotiation component comprises an Internet Key Exchange (IKE) component.



12. (Currently Amended) The method of claim 10, comprising negotiating for the 
IPsec security association using IPsec security parameters specified by the IPsec 
security policy. 
13. (Currently Amended) The method of claim 10, wherein the second determining comprises comparing filters with one or more of the following:
a source Internet Protocol (IP) address;
a destination IP address;
a protocol;
a source port; and
a destination port, wherein the destination port includes one or more of the following:
a source Internet Protocol (IP) address,
a destination IP address,
a protocol,
a source port, and
a destination port related to the network flow.



14. (Currently Amended) The method of claim 13, wherein each filter comprises one or more of the following:
a source Internet Protocol (IP) address;
a destination IP address;
a protocol;
a source port; and
a destination port.



15. (Currently Amended) The method of claim 13, wherein the IPsec security policy 
comprises at least one filter. 
16. (Currently Amended) The method of claim 10, further comprising determining if the network flow can be allowed without the IPsec security association if no IPsec security policy exists for the network flow.

17. (Currently Amended) A system comprising:
a network;
a network interceptor between the application layer and the TCP/IP layer coupled with the network, the network interceptor to monitor an application's socket requests [[intercept a Transmission Control Protocol (TCP) connection request by an application]];
a security association database coupled to the network interceptor, the security association database containing a mapping of network flow information to Internet Protocol security (IPsec) security association information;
a security policy database coupled to the network interceptor, the security policy database containing policies that describe parameters that are to be used in a negotiation of an IPsec security association;
a security association negotiation component coupled with the network interceptor, the security association negotiation component to negotiate [[a]] an IPsec security association and to establish the IPsec security association; and
the network interceptor to allow the TCP connection request to proceed after the IPsec security association is established; and
an IPsec packet classifier, the IPsec packet classifier responsible for performing IPsec processing on incoming and outgoing packets, wherein the network interceptor ensures that an IPsec security association is in place before allowing network traffic to flow between the application and the TCP/IP layer.



18. (Currently Amended) The system of claim 17, wherein the network flow information comprises one or more of the following:
Internet Protocol (IP) addresses;
a protocol; and
ports.



19. (Cancelled) 



20. (Currently Amended) A machine-readable medium having stored thereon data representing sets of instructions which, when executed by a machine, cause the machine to:
[[intercept a Transmission Control Protocol (TCP) connection request by an application;
negotiate for a security association;
establish the security association; and
allow the TCP connection request to proceed after the security association is established.]]
monitor application socket requests;
request a Transmission Control Protocol (TCP) connection by an application;
determine if there is an active Internet Protocol security (IPsec) security association that exists to protect network flow associated with the connection request;
prevent the connection request from proceeding to the TCP/IP layer if no active IPsec security association exists to protect the network flow;
determine if an IPsec security policy exists for the network flow if no active IPsec security association exists to protect the network flow;
alert a security association negotiation component to initiate negotiation for an IPsec security association based on the IPsec security policy if the IPsec security policy exists for the network flow; and
allow the connection request to proceed if one of the active IPsec security association exists and the IPsec security association is established from the negotiation.

21. (Previously Presented) The machine-readable medium of claim 20, wherein the security association negotiation component comprises an Internet Key Exchange (IKE) component.

22. (Cancelled) 

23. (Currently Amended) The machine-readable medium of claim 20, wherein the active IPsec security association comprises one or more of the following:
a source Internet Protocol (IP);
a destination IP;

Docket No.: 42390P8768 (page 9)
Application No.: 09/592,841



a protocol; 

a source port; and 

a destination port. 



24. (Currently Amended) A machine-readable medium having stored thereon data representing sets of instructions which, when executed by a machine, cause the machine to:
monitor application socket requests;
request transmission of User Datagram Protocol (UDP) data on a socket by the application;
[[intercept the transmission of the UDP data on the socket by the application;]]
determine if the socket has been associated with an active IPsec security association;
determine if there is a defined IPsec security association that may be used to protect network flow if the socket has not been associated with an active IPsec security association;
determine what IPsec security policy should be used when negotiating [[a]] an IPsec security association for the network flow if there is no defined IPsec security association that may be used to protect the network flow;
prevent the data from being sent to the TCP/IP layer if there is no defined IPsec security association that may be used to protect the network flow;
alert a security association negotiation component to initiate negotiation for the IPsec security association if there is no defined IPsec security association that may be used to protect the network flow;
establish the IPsec security association; and
allow the UDP data to be sent in response to establishment of the IPsec security association.

25. (Previously Presented) The machine-readable medium of claim 24, wherein the 
security association negotiation component comprises an Internet Key Exchange 
(IKE) component. 

26. (Currently Amended) The machine-readable medium of claim 24, further causing the machine to negotiate for the IPsec security association using IPsec security parameters specified by [[a]] an IPsec security policy.

27. (Currently Amended) The machine-readable medium of claim 24, wherein the active IPsec security association comprises one or more of the following:
a source Internet Protocol (IP);
a destination IP;
a protocol;
a source port; and
a destination port.

28-29. (Cancelled) 

30. (New) The system of claim 17, wherein the IPsec security association comprises 
an Internet Key Exchange (IKE) component. 
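The socket-layer interception recited in claims 1, 10, 16 and 17 (hold the connect or send, look up the security association database by 5-tuple, fall back to the security policy database, alert the negotiation component, release once the SA is established) modelled in Python as an added example; this is not code from the application or its assignee. The class and method names, the wildcard filter semantics, the string decisions "hold"/"allow"/"discard", the in-memory Negotiator standing in for IKE, and the constructed flows using RFC 5737 documentation addresses are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Flow = Tuple[str, str, str, int, int]   # (src_ip, dst_ip, proto, src_port, dst_port): the 5-tuple of claims 3 and 8


@dataclass(frozen=True)
class Filter:
    """SPD selector over the 5-tuple; a None field is a wildcard (assumed semantics)."""
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    proto: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None

    def matches(self, flow: Flow) -> bool:
        fields = (self.src_ip, self.dst_ip, self.proto, self.src_port, self.dst_port)
        return all(want is None or want == got for want, got in zip(fields, flow))


@dataclass
class Policy:
    """Security policy database entry: filters plus the parameters IKE negotiates with (claim 12)."""
    name: str
    filters: List[Filter]
    ike_params: Dict[str, str]


@dataclass
class SecurityAssociation:
    spi: int
    params: Dict[str, str]
    established: bool = False


class Negotiator:
    """Stand-in for the IKE component; records the negotiations it was alerted to start."""
    def __init__(self) -> None:
        self.pending: Dict[Flow, SecurityAssociation] = {}
        self._next_spi = 0x1000

    def initiate(self, flow: Flow, policy: Policy) -> SecurityAssociation:
        if flow not in self.pending:          # one exchange per flow, however many sockets are waiting
            self.pending[flow] = SecurityAssociation(self._next_spi, dict(policy.ike_params))
            self._next_spi += 1
        return self.pending[flow]

    def finish(self, flow: Flow) -> SecurityAssociation:
        sa = self.pending.pop(flow)           # negotiation succeeded: the SA is now usable
        sa.established = True
        return sa


class Interceptor:
    """Sits between the socket calls and the TCP/IP layer; nothing passes without an active SA."""
    def __init__(self, spd: List[Policy], ike: Negotiator, allow_unpoliced: bool = False) -> None:
        self.sad: Dict[Flow, SecurityAssociation] = {}        # SA database: flow -> SA (claim 7)
        self.spd = spd
        self.ike = ike
        self.allow_unpoliced = allow_unpoliced                # claim 16: flows that match no policy
        self.socket_sa: Dict[int, SecurityAssociation] = {}   # claim 10: SA a socket was bound to
        self.held: Dict[int, Tuple[Flow, List[bytes]]] = {}   # parked requests and queued datagrams

    def _policy_for(self, flow: Flow) -> Optional[Policy]:
        return next((p for p in self.spd if any(f.matches(flow) for f in p.filters)), None)

    def _decide(self, sock: int, flow: Flow) -> str:
        sa = self.socket_sa.get(sock) or self.sad.get(flow)
        if sa is not None and sa.established:
            self.socket_sa[sock] = sa
            return "allow"
        policy = self._policy_for(flow)
        if policy is None:
            return "allow" if self.allow_unpoliced else "discard"
        self.ike.initiate(flow, policy)                       # alert the negotiation component
        self.held.setdefault(sock, (flow, []))                # keep the request out of the TCP/IP layer
        return "hold"

    def tcp_connect(self, sock: int, flow: Flow) -> str:
        """connect(): held until the SA exists, so the stack never emits a SYN it then retransmits."""
        return self._decide(sock, flow)

    def udp_send(self, sock: int, flow: Flow, payload: bytes) -> str:
        """sendto(): the datagram is queued rather than sent unprotected or dropped."""
        decision = self._decide(sock, flow)
        if decision == "hold":
            self.held[sock][1].append(payload)
        return decision

    def sa_established(self, flow: Flow) -> List[Tuple[int, List[bytes]]]:
        """Completion callback from IKE: install the SA, then release every socket parked on the flow."""
        sa = self.ike.finish(flow)
        self.sad[flow] = sa
        released = []
        for sock, (held_flow, queue) in list(self.held.items()):
            if held_flow == flow:
                self.socket_sa[sock] = sa
                released.append((sock, queue))
                del self.held[sock]
        return released
```

Usage follows the claims' sequence: construct an Interceptor with a Policy whose Filter covers the peer, call tcp_connect or udp_send for a flow and get "hold" (the negotiator now has that flow pending), then call sa_established for the flow to get back the sockets and any queued datagrams that may now proceed; a second connect to the same 5-tuple returns "allow" straight from the SA database. A flow that matches no policy returns "discard" unless allow_unpoliced is set, which is the claim 16 decision of whether unprotected traffic may pass.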
